Revision as of 13:30, 19 November 2012


Role Statement

Policy version 26 introduced two new role statements aimed at replacing the role dominance rule by making role relationships easier to understand. These new statements, attribute_role and roleattribute, are similar in operation to the attribute and typeattribute statements used for types, and are defined in this section with examples.

role Statement

The role statement associates a role identifier with one or more types (i.e. it authorises the role to access the domain or domains). Where there are multiple role statements declaring the same role, the compiler will associate the additional types with the role.

The statement definition is:

role role_id;

Or

role role_id types type_id;

Where:

role

The role keyword.

role_id

The identifier of the role being declared. The same role identifier can be declared more than once in a policy, in which case the type_id entries will be amalgamated by the compiler.

types

The optional types keyword.

type_id

When used with the types keyword, one or more type or attribute identifiers to associate with the role_id. Multiple entries consist of a space separated list enclosed in braces ({}). Entries can be excluded from the list by using the negative operator (-).

For role statements, only type or attribute identifiers associated with domains have any meaning within SELinux.

The statement is valid in:

Monolithic Policy    Base Policy    Module Policy
Yes                  Yes            Yes

Conditional Policy (if) Statement    optional Statement    require Statement
No                                   Yes                   Yes

Examples:

# Using the role statement to define standard roles in the
# Reference Policy. Note that there are no domains associated
# with them yet.
role system_r;
role sysadm_r;
role staff_r;
role user_r;
role secadm_r;
role auditadm_r;
# Within the policy the roles are then associated to the
# required domains with this example showing the user_r role
# being associated to two domains:
role user_r types user_t;
role user_r types chfn_t;

attribute_role Statement

The attribute_role statement declares a role attribute identifier that can then be used to refer to a group of roles.

The statement definition is:

attribute_role attribute_id;

Where:

attribute_role

The attribute_role keyword.

attribute_id

The attribute identifier.

The statement is valid in:

Monolithic Policy    Base Policy    Module Policy
Yes                  Yes            Yes

Conditional Policy (if) Statement    optional Statement    require Statement
No                                   Yes                   Yes

Examples:

# Using the attribute_role statement to declare attributes that
# can then refer to a list of roles. Note that there are no
# roles associated with them yet.
attribute_role role_list_1;
attribute_role srole_list_2;

roleattribute Statement

The roleattribute statement associates a previously declared role with one or more previously declared role attributes (attribute_role identifiers).

The statement definition is:

roleattribute role_id attribute_id [ ,attribute_id ];

Where:

roleattribute

The roleattribute keyword.

role_id

The identifier of a previously declared role.

attribute_id

One or more previously declared attribute_role identifiers. Multiple entries consist of a comma (,) separated list.

The statement is valid in:

Monolithic Policy    Base Policy    Module Policy
Yes                  Yes            Yes

Conditional Policy (if) Statement    optional Statement    require Statement
No                                   Yes                   No

Examples:

# Using the roleattribute statement to associate a previously
# declared role of service_r to a previously declared
# role_list_1 attribute_role.
attribute_role role_list_1;
role service_r;
# The association using the roleattribute statement:
roleattribute service_r role_list_1;
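The three statements above are easiest to understand by watching how a compiler accumulates them: repeated role statements for one role are amalgamated, a braced types list is expanded through type attributes and pruned by the negative operator, and roleattribute adds roles to an attribute_role. The following small checker, written for this page as an added example (it is not checkpolicy, and the policy fragment it loads is constructed here, not taken from the Reference Policy), implements exactly those rules for the role, attribute_role and roleattribute statements, plus the type and attribute statements it needs to resolve type names. Like the real compiler it refuses a roleattribute that names a role or attribute_role that has not yet been declared.

```python
import re
from collections import defaultdict

# Constructed policy fragment for this example; not from any real policy.
SAMPLE_POLICY = """
attribute domain;
type user_t, domain;
type chfn_t, domain;
type passwd_t, domain;
type sysadm_t, domain;

role system_r;
role user_r;
role sysadm_r;
role service_r;

# Two role statements for user_r: the compiler amalgamates the types.
role user_r types user_t;
role user_r types chfn_t;
# Braced list expanded through the 'domain' attribute, minus user_t.
role sysadm_r types { domain -user_t };

attribute_role role_list_1;
attribute_role srole_list_2;

roleattribute service_r role_list_1;
roleattribute user_r role_list_1, srole_list_2;
"""

# Tokens: braces, commas, and identifiers optionally prefixed by '-'.
TOKEN = re.compile(r"\{|\}|,|-?[A-Za-z_][A-Za-z0-9_.]*")


class RolePolicy:
    """Accumulates role-related declarations the way a policy compiler does."""

    def __init__(self):
        self.type_attributes = {}                # attribute_id -> {type_id}
        self.types = set()
        self.roles = set()
        self.role_types = defaultdict(set)       # role_id -> {type_id}
        self.role_attributes = set()             # declared attribute_role ids
        self.attribute_roles = defaultdict(set)  # attribute_id -> {role_id}

    def _expand_types(self, tokens):
        """Expand a type_id list: attributes become their member types,
        and '-name' entries are removed from the result."""
        include, exclude = set(), set()
        for tok in tokens:
            if tok in ("{", "}"):
                continue
            name = tok.lstrip("-")
            if name in self.type_attributes:
                members = self.type_attributes[name]
            elif name in self.types:
                members = {name}
            else:
                raise ValueError(f"unknown type or attribute {name!r}")
            (exclude if tok.startswith("-") else include).update(members)
        return include - exclude

    def statement(self, stmt):
        tokens = TOKEN.findall(stmt)
        if not tokens:
            raise ValueError(f"empty statement {stmt!r}")
        keyword, args = tokens[0], tokens[1:]
        if keyword == "attribute":
            self.type_attributes.setdefault(args[0], set())
        elif keyword == "type":
            self.types.add(args[0])
            for attr in (a for a in args[1:] if a != ","):
                if attr not in self.type_attributes:
                    raise ValueError(f"undeclared attribute {attr!r}")
                self.type_attributes[attr].add(args[0])
        elif keyword == "role":
            role = args[0]
            self.roles.add(role)  # redeclaring a role is permitted
            if len(args) > 1:
                if args[1] != "types":
                    raise ValueError(f"expected 'types' in {stmt!r}")
                self.role_types[role] |= self._expand_types(args[2:])
        elif keyword == "attribute_role":
            self.role_attributes.add(args[0])
        elif keyword == "roleattribute":
            role = args[0]
            if role not in self.roles:
                raise ValueError(f"undeclared role {role!r}")
            for attr in (a for a in args[1:] if a != ","):
                if attr not in self.role_attributes:
                    raise ValueError(f"undeclared attribute_role {attr!r}")
                self.attribute_roles[attr].add(role)
        else:
            raise ValueError(f"unsupported statement {keyword!r}")

    def load(self, text):
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments
            if not line:
                continue
            if not line.endswith(";"):
                raise ValueError(f"missing ';' in {raw!r}")
            self.statement(line[:-1])
        return self

    def types_for_role(self, role):
        return frozenset(self.role_types[role])

    def roles_for_attribute(self, attr):
        return frozenset(self.attribute_roles[attr])


def is_rejected(text):
    """True when the fragment fails the declared-before-use checks."""
    try:
        RolePolicy().load(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    p = RolePolicy().load(SAMPLE_POLICY)
    for r in sorted(p.roles):
        print(r, sorted(p.types_for_role(r)))
    for a in sorted(p.role_attributes):
        print(a, sorted(p.roles_for_attribute(a)))
```

Running it shows user_r holding both user_t and chfn_t from its two role statements, sysadm_r holding every domain type except the excluded user_t, and role_list_1 resolving to both service_r and user_r. The declared-before-use check mirrors why roleattribute is not valid inside a require block: the role and the attribute_role must already exist when the association is made.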